Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.5
CVE Id CVE-2011-5097
Last Modified 13 Aug 2012 12:00:00
Published 08 Aug 2012 06:26:18
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication SINGLE_INSTANCE

CVE-2011-5097

Summary

chef-server-api/app/controllers/cookbooks.rb in Chef Server in Chef before 0.9.18, and 0.10.x before 0.10.2, does not require administrative privileges for the update and destroy methods, which allows remote authenticated users to (1) upload cookbooks via a knife cookbook upload command or (2) delete cookbooks via a knife cookbook delete command.

Vulnerable Systems

Application

  • Opscode Chef 0.10.0

  • Opscode Chef 0.7.10

  • Opscode Chef 0.7.12

  • Opscode Chef 0.7.14

  • Opscode Chef 0.7.2

  • Opscode Chef 0.7.4

  • Opscode Chef 0.7.6

  • Opscode Chef 0.7.8

  • Opscode Chef 0.8.10

  • Opscode Chef 0.8.2

  • Opscode Chef 0.8.4

  • Opscode Chef 0.8.6

  • Opscode Chef 0.8.8

  • Opscode Chef 0.9.0

  • Opscode Chef 0.9.10

  • Opscode Chef 0.9.12

  • Opscode Chef 0.9.14

  • Opscode Chef 0.9.16

  • Opscode Chef 0.9.2

  • Opscode Chef 0.9.4

  • Opscode Chef 0.9.6

  • Opscode Chef 0.9.8


References

CONFIRM - https://github.com/opscode/chef/commit/a4ea6edab2fecb922f999cffb0daa04eeeec7a26

CONFIRM - http://tickets.opscode.com/browse/CHEF-2436


Last Updated: 27 May 2016 10:53:35